Data Management & Security

www.davidcorp.com
1.800.55.DAVID
Data Management
2:15 - 2:45 p.m.
Data Management – The Second Concern
Moderator: David Tweedy, CMC, MBA, Director, Risk Management Information Systems, Bickmore
COMMIT
Mark E. Dorn, President & CEO, DAVID Corporation

Learn how to securely and efficiently store, access and manage information. This session will cover cloud versus on-premises, Commercial Off The Shelf Software (COTS) systems, MS Office, custom solutions, other tools and applications, user interfaces, protecting information and IP, secure storage, backup and recovery.
Question - Who Is Gregg Steinhafel?
Resigned From? _______________________
For His Executive Management Responsibility Of? _______________________
Involved How Many People? 10,000 or 70M or 120M
His Compensation For 2013? _______________________

Answer - Who Is Gregg Steinhafel?
Resigned From: Target Department Stores
For His Executive Management Responsibility Of: Data Breach
Involved How Many People: 70,000,000
His Compensation For 2013: $20,600,000
It’s Over
Dog’s Compensation: Likely Ongoing
It’s Wednesday…At Your RISK POOL
1. What Reports On Data Management Security Did You Review This Week?
2. What Is Your Funding Level For Data Management & Security?
3. If You Have A Data Breach (Lost/Stolen Data or Corrupted Data), Are You Sure You Are As Ready As Your Board & Members Expect? To Defend? To Respond? To Fix?
Hardware & Infrastructure Budgets

Many Of Us Have Info Security Programs (ISP)
But how well do we understand data management & security risk?
Graphic: External Threats – Security – Internal Threats. Source: https://www.harlandclarke.com/dv/0909/07.php
Pools Exposed To Consumerization of IT
48% Of Employees Use Work PC’s For Personal

Pools Becoming A Borderless Enterprise
Data has moved beyond the enterprise firewall: Laptops / Home Offices, USB Sticks / WiFi / VPN, and more…

Increasing Internal & Partner Data Risks At Pools
Insiders & Partners have direct access to your most sensitive data.
70% of all serious incidents are sparked by insiders. (IDC Worldwide Security Products and Services)
• Lost Laptops & Devices
• Disgruntled Employees
• File Sharing Software – How many of us use Drop Box? Where is Drop Box?
IT Resourcing Models At Pools
• Do It Yourself On Premise
  – Laptop/Workstation, WiFi Routers
  – On-premise server(s), data center
• Hosting (use another’s resources)
  – Shared or Dedicated
  – Various Forms of Cloud
  – Co-location
Data Center Management Solutions
• Configuration Management
  – Automated provisioning and updating of physical and virtual environments
  – Server consolidation through virtualization
• End to End Monitoring
  – Proactive platform monitoring
  – Application & service level monitoring
  – Interoperable and extensible platform
• Server Compliance
  – Configuration controls and reporting
  – Centralized security auditing
  – Comprehensive security & identity and access mgmt
• Data Protection and Recovery
  – Business continuity through virtualization mgmt
  – Backup and recovery of physical and virtual resources
  – Disaster recovery
End to End Monitoring
Proactive platform, application and service-level monitoring
Challenges For Pools:
• IT services, applications and servers must run smoothly
• Increasing pressure for service levels that ensure optimal uptime and responsiveness
Capabilities:
• Proactively monitor availability, performance and configuration across heterogeneous platforms
• Perform deep application and service-level monitoring
POOL Applications: Claims & Policy, FROI, Portals, Web Servers, Databases, Servers, Other Apps
Concepts of ZERO Trust
• All resources are accessed in a secure manner regardless of location.
• Access control is on a “need-to-know” basis and is strictly enforced.
• Verify and never trust.
• Visibility: Inspect and log all traffic.
• The network is designed from the inside out.
Zero Trust Data Protection
Policy-Based, Encryption-Enabled Data Protection.
– Protect Data from Leakage and Theft: Enforce usage policies for all removable devices and media.
– Increase Data Security: Define forced encryption policy for data flows onto removable devices / media. Flexible exception management. Ensure that data cannot be accessed if removable devices or media are lost or stolen.
– Continuous Audit Readiness: Monitor all device usage and data transfers. Track all transferred files and content. Report on all data policy compliance and violations.
Example Secured Web Access
• RSA SecurID® hardware tokens provide "hacker-resistant" two-factor authentication for user identification. Based on time synchronization technology, this authentication device generates a simple, one-time authentication code that changes every 60 seconds.

Gartner Magic Quadrant
Magic Quadrant for Web Fraud Detection
Data Management Access - Questions
Q? - How do we (safely) provide access to, and maintenance of, all member data by both the pool and members? - Via Online & Portals. This includes claims data, contact information, policy information, certificates, completed training, completed inspections, exposures, underwriting processes, and more.
Q? - How do we (safely) and most efficiently manage data…. program structures, excess coverages and reinsurance, and track retentions and then provide quick access to program participation and retention levels?

Data Security and Privacy
Q? - How do we feel better (safer) about our security and privacy? We have policies and technology in place, but there are so many regulations, and so many changes.
Security is an All-or-Nothing proposition = You are as secure as your weakest link.
J. Bako, VP David Corp.

Today’s Agenda – Data Management
Security 1
Security 2
Pool Questions
Security – Part 1
Security 1
• Policy And Governance – Risks And Content
  • SOC II audits are generally the standard
  • Testing is against pre-defined security/trust principles
  • Governance is based upon higher standards
• Network & Device Security
  • Network layer N/S/E/W security in a cloud environment
  • Authentication within the VPN
• Common Deficiencies
• Staff & Data Security

Security – Part 2
Security 2
• Application Content
• HIPAA & PII Data
• Access Management and Authentication
• Application Security
• Data Center / Host System & Vendor Security
Security 1 – Policy And Governance
Risks Of Policy Content
Without defined security policies and standards, it may be difficult to comply with legal, regulatory and industry requirements or ensure protection of sensitive data.

Security 1 – Policy And Governance
Policy Content
Risk based plans should reference and/or utilize industry accepted standards/practices such as ISO, COBIT, ISACA, ITIL or NIST (ex. National Institute of Standards and Technology).
Security policies should be published, and accessible to appropriate employees and contractors.
Security 1 – Policy And Governance
For App Vendors, Hosting Sources & Client Personnel
• Is there a written policy for handling, storing and disposing of sensitive PHI/PII data?
• What documented procedures are in place for incident or similar security breach issues?
• What help desk or system administration procedures are in place for servicing users requesting password resets, new access rights or change of privileges?
• What policies exist for configuring servers or Virtual Machines (VMs)?
• What are the policies for VPN set up and access?
• What Network based Intrusion Detection Systems (NIDS) are part of the monitoring policy?
• What vulnerability assessment plan and schedule is in place?
• What external penetration plan and policy is in place? Without it you are non-compliant.
Security 1 – Policy And Governance
Common Areas Of Policy Content Deficiency
1. Patch Management
2. Encryption Policy
3. Human Resource Policy
4. Access Control
5. Incident Handling and Reporting
6. Disposal of Resources
7. System Backups
8. Disaster Recovery
Security 2 - Application Security
Define All Applications
Content Areas……
1. Purpose & Risks
2. Users Profiles
3. Qty Of Users
4. Key Components (Web Servers, Server, Database, Appliances)
5. Personal Identifiable Information (PII) or Protected Health Information (PHI)
6. Host/Data Store
7. Remote Access For App Management Required (ex VPN) For Routine Remote Data Delivery Needs
To Whom Does HIPAA Apply?
• Business Associates – TPA’s, Bill Reviewers, RMIS Vendors
Provides a service that involves the disclosure of protected health information.
Business Associates are now directly liable…..
Organizations that “create, receive, maintain or transmit” PHI data are BAs.
What is Protected Health Information (PHI)
Individually Identifiable
List of 18 Identifiers
• Names
• Geographic subdivisions smaller than State
• All elements of dates except year
• Phone & Fax numbers
• Electronic mail addresses
• Social Security numbers (SSN)
• Medical record numbers
• Health plan beneficiary numbers
• Account numbers
• Certificate/license numbers
• Vehicle identifiers and serial numbers
• Device identifiers and serial numbers
• Web Universal Resource Locators (URLs)
• Internet Protocol (IP) address numbers
• Biometric identifiers
• Full face photographic images
• Any other unique identifying number
Health Information
Health information means any information, including genetic information, whether oral or recorded in any form or medium, that:
(1) Is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and
(2) Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual.
Where Is The (PHI) Data In Your Pool
Covered Entity:
• Health Plan & Clearinghouse
• Health Care Provider (with electronic HIPAA transaction)
Business Associate & Subcontractor:
• Claims processing or administration
• Data analysis, processing or administration
• Utilization review
• Quality assurance
• Patient safety activities
• Billing
• Benefit & Practice management
• Repricing
• Legal
• Actuarial
• Accounting
• Data aggregation
• Management
• Administrative
• Accreditation
• Financial
HIPAA & Data Management
How Does HIPAA Apply to Data Management And Hosting?
A data storage company service provider that has access to protected health information (whether digital or hard copy) qualifies as a business associate, even if the entity does not view the information or only does so on a random or infrequent basis.
- HIPAA Omnibus
Need for IT Actions & Control
Information system activity review (Required). 45 CFR § 164.308 (a)(1)(ii)(D)
Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.
Standard: Documentation. 45 CFR § 164.316 (b)(1)
(i) Maintain the policies and procedures implemented to comply with this subpart [SUBPART C – Security Standards for the Protection of Electronic PHI] in written (which may be electronic) form; and
(ii) If an action, activity or assessment is required by this subpart to be documented, maintain a written (which may be electronic) record of the action, activity, or assessment.
Time limit (Required). 45 CFR § 164.316 (b)(2)(i)
Retain the documentation required by paragraph (b)(1) of this section for 6 years from the date of its creation or the date when it last was in effect, whichever is later.
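The activity-review requirement above (audit logs, access reports, incident tracking) as an added example of what a periodic review script might check; this is not code from the deck or from DAVID Corporation. The log format, the event names, the 3-failure threshold and the 07:00-19:00 business-hours window are all assumed, and the sample lines are constructed.

```python
import re
from collections import Counter
from datetime import datetime
from typing import Dict, List

# Constructed audit-log sample (not real data): "<ISO timestamp> <user> <event> <detail>".
SAMPLE_AUDIT_LOG = """\
2024-03-04T08:55:12 jsmith LOGIN_OK ip=10.1.4.22
2024-03-04T09:02:41 jsmith PHI_ACCESS claim=C-10931
2024-03-04T12:10:05 rlee LOGIN_FAIL ip=203.0.113.9
2024-03-04T12:10:19 rlee LOGIN_FAIL ip=203.0.113.9
2024-03-04T12:10:33 rlee LOGIN_FAIL ip=203.0.113.9
2024-03-04T12:10:47 rlee LOGIN_FAIL ip=203.0.113.9
2024-03-04T23:41:08 tpark PHI_ACCESS claim=C-10977
2024-03-05T07:15:00 admin PRIV_CHANGE user=tpark role=admin
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) ?(.*)$")


def parse(log: str) -> List[Dict[str, str]]:
    """Split each line into fields; malformed lines are kept and flagged, not silently dropped."""
    events = []
    for raw in log.splitlines():
        m = LINE_RE.match(raw)
        if m:
            ts, user, event, detail = m.groups()
            events.append({"ts": ts, "user": user, "event": event, "detail": detail})
        else:
            events.append({"ts": "", "user": "?", "event": "MALFORMED", "detail": raw})
    return events


def review(log: str, fail_threshold: int = 3, business_hours=(7, 19)) -> List[str]:
    """Findings for the periodic review: failed-login bursts, after-hours PHI access,
    privilege changes and unparseable lines. Threshold and hours are assumed values."""
    findings, fails = [], Counter()
    for e in parse(log):
        if e["event"] == "LOGIN_FAIL":
            fails[e["user"]] += 1
        elif e["event"] == "PHI_ACCESS":
            hour = datetime.fromisoformat(e["ts"]).hour
            if not business_hours[0] <= hour < business_hours[1]:
                findings.append(f"after-hours PHI access by {e['user']} at {e['ts']} ({e['detail']})")
        elif e["event"] == "PRIV_CHANGE":
            findings.append(f"privilege change by {e['user']}: {e['detail']}")
        elif e["event"] == "MALFORMED":
            findings.append(f"unparseable log line: {e['detail']!r}")
    for user, n in fails.items():
        if n >= fail_threshold:
            findings.append(f"{n} failed logins for {user}: check lockout and source ip")
    return findings


if __name__ == "__main__":
    for line in review(SAMPLE_AUDIT_LOG):
        print(line)
```

Each finding is something the documentation standard that follows expects to be recorded, so a real implementation would write the review output to the same retained record set.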
Security 2 – Access Mgt & Authentication
Access Management & Authentication Content Areas
• Does the app or service allow the ability to delegate user authentication or federated authentication?
• Does the app leverage enterprise authentication services (LDAP protocol, MS Active Directory)?
• Does the app support password policy requirements (password expiration at 60, 90, 120 days; lock a user account after x login attempts; prevent users from reusing passwords; set minimum password length or complexity, upper/lower case; lock-out time period enforcement; force new users to change the first-login password; use new password reset questions)?
• Are usernames and passwords transmitted using encryption?
• Limit concurrent access for the same user account?
• Restrict access rights to privileges, user IDs, job roles, job functions?
• Auto log off of a user based on inactivity?
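The password-policy questions in this checklist, modelled as an added example (not code from the deck or from DAVID Corporation): expiration, lockout after x attempts with a lock-out period, reuse prevention, minimum length with mixed case, and a forced change at first login. The 90-day, 5-attempt, 15-minute and 5-password defaults are assumed values chosen for illustration.

```python
import hashlib
from dataclasses import dataclass, field
from typing import List, Optional

DAY = 86400  # timestamps below are plain integer seconds (epoch style), not datetimes

@dataclass
class PasswordPolicy:
    max_age_days: int = 90      # expiration at 60/90/120 days (assumed default: 90)
    max_failed: int = 5         # lock the account after x login attempts
    lockout_minutes: int = 15   # lock-out time period enforcement
    history_size: int = 5       # prevent users from reusing recent passwords
    min_length: int = 12        # minimum password length

    def violations(self, pw: str) -> List[str]:
        """Complexity rules the candidate password breaks (empty list = acceptable)."""
        problems = []
        if len(pw) < self.min_length:
            problems.append("too short")
        if not (pw.lower() != pw and pw.upper() != pw):   # upper AND lower case present
            problems.append("needs upper and lower case")
        return problems

def digest(pw: str) -> str:
    # Illustration only: a real system stores a salted, slow hash (argon2/bcrypt).
    return hashlib.sha256(pw.encode()).hexdigest()

@dataclass
class Account:
    policy: PasswordPolicy
    password_hash: str
    password_set_at: int
    must_change: bool = True    # force new users to change the first-login password
    history: List[str] = field(default_factory=list)   # hashes of recent passwords
    failed: int = 0
    locked_until: Optional[int] = None

    def login(self, pw: str, now: int) -> str:
        """Outcome: 'locked', 'bad_password', 'must_change', 'expired' or 'ok'."""
        if self.locked_until is not None and now < self.locked_until:
            return "locked"
        if digest(pw) != self.password_hash:
            self.failed += 1
            if self.failed >= self.policy.max_failed:
                self.locked_until, self.failed = now + self.policy.lockout_minutes * 60, 0
            return "bad_password"
        self.failed = 0
        if self.must_change:
            return "must_change"
        if now - self.password_set_at > self.policy.max_age_days * DAY:
            return "expired"
        return "ok"

    def change_password(self, new_pw: str, now: int) -> List[str]:
        """Apply complexity and reuse rules; returns the violations (empty on success)."""
        problems = self.policy.violations(new_pw)
        if digest(new_pw) in [self.password_hash] + self.history:
            problems.append("reuses a recent password")
        if not problems:
            self.history = ([self.password_hash] + self.history)[: self.policy.history_size]
            self.password_hash, self.password_set_at, self.must_change = digest(new_pw), now, False
        return problems
```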
Security 2 - Application Security
Remote Access
• Does the app have built-in functionality to provide remote access?
• Will remote app access by a vendor be required?
• Will remote app be ….web based, certified and non client involved?
• Can remote access users gain access to command line or script level access?
• Can the app or service restrict access to the app based on IP location?
• How does the remote hosting vendor test the application for SLA requirements?
Security 2 - Application Security
Personnel Security
• Are background checks done on personnel who will have administrative access to servers, applications and data? How frequently?
• Do support personnel have security certifications (CISSP, GIAC, VSA)?
• Do the staff have 5-7 years or more in network security?
• Does the staff have HIPAA training for access to PHI?
• Are written policies and procedures in place to require notification in X days to clients when sensitive data has been compromised?
• What policies and procedures are in place when a hosting employee is terminated or his/her access is terminated?
Security 2 - Application Security
Data Center Security
• Is the Datacenter SAS 70 or SOC2 Type 2 Certified? Controlled Access, UPS In Place, Server Racks Locked. SOC2 Report Available For Review And Updated?
• Who/how has ability to install critical OS, Web, browser and database security patches?
• What access logs are created and reviewed…and how often?
• Video coverage in place and logs of all access to the infrastructure equipment?
• Backup and restoration of data: how is this accomplished and is the process audited?
• Does the app vendor or host store data segregated from other customer data?
• Does the app vendor only store the data in the United States?
• Is data encrypted before sending it over the Internet or an open network? What type of encryption is used? Is it (Government) FIPS 140-2 Compliant?
• Does the app vendor completely delete data when a client officially deletes it from their web services? How many copies of my data are being collected?
Security 2 - Application Security
Penetration testing report provided?
Risk: Absence of penetration testing may lead to non-compliance as per regulatory requirement and non-identification of system vulnerabilities.
Recommendation: Penetration testing should be performed on a regular basis to identify any potential weakness in the environment.
Security 2 - Application Security
Application Security For Applications
• Do third parties conduct security assessments on your application or service? When was the last review?
• Are all web applications and web admin access programs developed based on secure coding guidelines like the Open Web Application Security Project Guide, WASC Threat Classification or SANS Top 20?
• Does the app verify all parameters are validated or encoded before being included on a web page (XSS)?
• Does the application check for SQL injection flaws when user data is entered?
• Does the app prevent an attacker from direct manipulation of object references like files, directories, database records via the URL?
• Does the app check and prevent remote file inclusion (RFI)?
Security 2 - Application Security
MITRE maintains the CWE (Common Weakness Enumeration) web site, with the support of the US Department of Homeland Security's National Cyber Security Division, presenting detailed descriptions of the top 25 software errors along with authoritative guidance for mitigating and avoiding them.
That site also contains data on more than 700 additional software errors, design errors and architecture errors that can lead to exploitable vulnerabilities.
Security 2 - Application Security
Application Security For Web Applications
• Does the app check for and require authorization token submission by the browser?
• Is the app tested to make sure info is not leaked via error messages?
• Does the app or service support SSL v3/TLS?
• Does the app use IP ports 80 and 443 http / https?
• Does the app have controls to prevent direct data manipulation?
• Does the app record in an audit file all direct access to the database?
• Is a web scanning tool run on the app regularly?
• Is the app supported by certified web programmers (GSSP Secure Software Programmer)?
Security 2 - Application Security
Host Security
• Is enterprise antivirus, anti-spyware and host intrusion prevention software installed?
• How/who is installing critical O/S, web, browser and database security patches within x days of release?
• Who/how are local administrator level rights managed?
• Who/how are clients notified if a security breach occurs with the application or hosting service?
• How much up time is expected? What is the typical down time and recovery time?
• Is the hosting service security program audited and certified?
• Is the app hosted with other app clients on the same server or is the server single tenant?
Security 2 - The Fog About Cloud & SaaS
Negative Issues With SaaS
• Doesn’t Make Integration Work Easier (HR/WC)
• Doesn’t Auto Integrate With Other SaaS Apps
• Costs Are Not Always Less Than Licensed or Hosted
• Organization Integration Needs
• Often Consumer Oriented Functionality (Ex. Facebook Login)
Positive Issues With SaaS
• Common Code Base & Easier Upgrades
• Mobile & Easy Initial Deployment
• Pay As You Go Model
• Scalability
• Simple Disaster Recovery
• Geo Replication
Data Management In Pools – Top Goals
Find Your Blend: High Performance, Security, Data Management, Privacy, Compliance

Don’t Be A Target
Member Questions
Disaster Recovery
Questions 3
Q? How do we really give Disaster Recovery a good test?
• Disaster Recovery Testing is not a single occurrence or event; it is an ongoing process.
• Test for system failure, data theft and data corruption.
• In some cases, the cost of maintaining a Disaster Recovery mindset and performing Simulation Testing can actually outweigh the risk and cost of an actual disaster.
• Focus on the anticipated types of disasters, probability of occurrence, and projected damage associated to better understand the actual financial impact. The results can then be weighed against the cost of an accommodating Disaster Recovery Plan to ensure financial feasibility.
Personal Identifiable Information (PII)
Questions 3
Q. How do we keep personal identifiable information (PII) out of the e-mail system?
One way to reduce the risk of exposure is to look towards alternate communication mechanisms altogether, understanding that email is a highly insecure platform by nature and often overused.
When there is no alternative but to email PII, measures should be taken to use either message- or transport-based encryption.
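An added example (not from the deck or from DAVID Corporation) that connects the 18-identifier list earlier in the deck with the e-mail question here: a scanner that flags outbound messages carrying identifier patterns such as SSNs, e-mail addresses, phone numbers, month/day dates, IP addresses, URLs and medical record numbers. The regexes, the "MRN" label convention and the sample messages are assumptions constructed for illustration; a production filter would use stricter patterns.

```python
import re
from typing import Dict, List

# Regexes for a subset of the HIPAA identifiers listed in the deck. A bare year is
# not matched because "all elements of dates except year" is the identifier.
IDENTIFIER_PATTERNS: Dict[str, "re.Pattern"] = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "phone": re.compile(r"(?<!\d)\(?\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b"),
    "ip_address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(r"\bhttps?://\S+", re.IGNORECASE),
    "date": re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b"),
    "mrn": re.compile(r"\bMRN[:# ]?\s*\d{5,}\b", re.IGNORECASE),   # assumed label style
}


def find_identifiers(text: str) -> Dict[str, List[str]]:
    """Map identifier type -> list of matching strings found in the text."""
    hits = {}
    for name, pattern in IDENTIFIER_PATTERNS.items():
        found = pattern.findall(text)
        if found:
            hits[name] = found
    return hits


def should_block(message: str, min_hits: int = 1) -> bool:
    """Policy decision for an outbound message: hold it when identifiers are present."""
    return sum(len(v) for v in find_identifiers(message).values()) >= min_hits


def scan_mailbox(messages: List[str]) -> List[Dict]:
    """Per-message report: which identifier types appeared and whether to hold the mail."""
    report = []
    for i, msg in enumerate(messages):
        hits = find_identifiers(msg)
        report.append({"message": i, "types": sorted(hits), "blocked": should_block(msg)})
    return report


# Constructed sample messages (not real data) in the style of pool claims e-mail.
SAMPLE_MESSAGES = [
    "Claimant SSN 123-45-6789, DOB 04/17/1971, MRN 00948213, call (555) 201-3344.",
    "Please see the attached loss run for the 2023 policy year.",
    "Adjuster note: images at http://claims.example/photo/771 sent to jdoe@example.org",
]

if __name__ == "__main__":
    for row in scan_mailbox(SAMPLE_MESSAGES):
        print(row)
```

Messages that are held can then be routed to the encrypted channel the answer above calls for instead of plain e-mail.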
Data Management Solutions
Questions 3
Are there solutions to better help support the following member management activities?
• Manage program participation: start and stop dates, retentions, locations and contacts
• Manage and track membership contributions; and determine and provide ex-mods
• Manage and track member in training, return to work or triage programs, EAP programs, or other pool activities
Data Management Risk Questions
• Are there new Threats?
• Do I have new Vulnerabilities?
• Is there an increased Likelihood of Occurrence?
• Has the Impact increased?

Questions 3
Q? - Guidance on When to Use Cloud?
• Cloud can also be a way to increase IT resources in line with your business needs.
  – Ramp up resources when you need more
  – Ramp down resources when not needed
  – Avoid on-going capital outlays
• Cloud Can Be A Tool for Risk Management
  – Assume
  – Reduce/Control/Mitigate
  – Transfer
  – Avoid

Questions 3
Adjourn
When to Use IT Data Architecture?
                     Impact: Low           Impact: High
Likelihood: High     Control / Mitigate    Avoid
Likelihood: Low      Transfer              Assume
Combination of Risk Transfer, Control / Mitigation, Avoidance, or Assumption depends on Organizational Capabilities and Risk Tolerance.